chore: Bump @lavamoat/webpack from 1.2.0 to 1.5.0 (#3659)

Bumps
[@lavamoat/webpack](https://github.com/LavaMoat/lavamoat/tree/HEAD/packages/webpack)
from 1.2.0 to 1.5.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/LavaMoat/lavamoat/releases"><code>@​lavamoat/webpack</code>'s
releases</a>.</em></p>
<blockquote>
<h2>webpack: v1.5.0</h2>
<h2><a
href="https://github.com/LavaMoat/LavaMoat/compare/webpack-v1.4.0...webpack-v1.5.0">1.5.0</a>
(2025-10-01)</h2>
<h3>Features</h3>
<ul>
<li><strong>webpack,core:</strong> Add a meta field to policy resource,
report webpack optimizations to it. (<a
href="https://github.com/LavaMoat/LavaMoat/commit/a53b434e21e074d2261a4e84b85e33fe8aa87278">a53b434</a>)</li>
<li><strong>webpack:</strong> use the final module info in connections
to handle the optimizations webpack sideEffect option does. wip (<a
href="https://github.com/LavaMoat/LavaMoat/commit/9c7b3050460b4cc79b04ac422bdfb69540893bd9">9c7b305</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>webpack:</strong> strip policy meta from the policy that
goes into the bundle, fix related tests (<a
href="https://github.com/LavaMoat/LavaMoat/commit/645d0f2311a9871694b6bf14bb4ce3c81b2311c8">645d0f2</a>)</li>
</ul>
<h3>Dependencies</h3>
<ul>
<li>The following workspace dependencies were updated
<ul>
<li>dependencies
<ul>
<li><code>@​lavamoat/types</code> bumped from ^0.0.1 to ^0.1.0</li>
<li>lavamoat-core bumped from ^16.7.0 to ^16.7.1</li>
</ul>
</li>
</ul>
</li>
</ul>
<h2>webpack: v1.4.0</h2>
<h2><a
href="https://github.com/LavaMoat/LavaMoat/compare/webpack-v1.3.2...webpack-v1.4.0">1.4.0</a>
(2025-09-25)</h2>
<h3>Features</h3>
<ul>
<li><strong>webpack:</strong> document and officially release scuttling
in webpack plugin (<a
href="https://redirect.github.com/LavaMoat/LavaMoat/issues/1829">#1829</a>)
(<a
href="https://github.com/LavaMoat/LavaMoat/commit/9c83030d97371478bf59b10d636e63168bd8473d">9c83030</a>)</li>
<li><strong>webpack:</strong> prevent webpack from eliminating reexports
and failing policy enforcement (<a
href="https://redirect.github.com/LavaMoat/LavaMoat/issues/1827">#1827</a>)
(<a
href="https://github.com/LavaMoat/LavaMoat/commit/5f4d4fcdf6395bd749918d2b6bed7c5e822629e2">5f4d4fc</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>webpack:</strong> adjust MessageEvent repair to reliably
work in the bizarre context of Firefox webextension contentscript (<a
href="https://redirect.github.com/LavaMoat/LavaMoat/issues/1830">#1830</a>)
(<a
href="https://github.com/LavaMoat/LavaMoat/commit/33d83d7402f9b914c7f4d7f9cd18f979c2f406c5">33d83d7</a>)</li>
</ul>
<h3>Dependencies</h3>
<ul>
<li>The following workspace dependencies were updated
<ul>
<li>dependencies
<ul>
<li>lavamoat-core bumped from ^16.6.2 to ^16.7.0</li>
</ul>
</li>
</ul>
</li>
</ul>
<h2>webpack: v1.3.2</h2>
<h2><a
href="https://github.com/LavaMoat/LavaMoat/compare/webpack-v1.3.1...webpack-v1.3.2">1.3.2</a>
(2025-09-22)</h2>
<h3>Dependencies</h3>
<ul>
<li>The following workspace dependencies were updated</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/LavaMoat/LavaMoat/blob/main/packages/webpack/CHANGELOG.md"><code>@​lavamoat/webpack</code>'s
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/LavaMoat/LavaMoat/compare/webpack-v1.4.0...webpack-v1.5.0">1.5.0</a>
(2025-10-01)</h2>
<h3>Features</h3>
<ul>
<li><strong>webpack,core:</strong> Add a meta field to policy resource,
report webpack optimizations to it. (<a
href="https://github.com/LavaMoat/LavaMoat/commit/a53b434e21e074d2261a4e84b85e33fe8aa87278">a53b434</a>)</li>
<li><strong>webpack:</strong> use the final module info in connections
to handle the optimizations webpack sideEffect option does. wip (<a
href="https://github.com/LavaMoat/LavaMoat/commit/9c7b3050460b4cc79b04ac422bdfb69540893bd9">9c7b305</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>webpack:</strong> strip policy meta from the policy that
goes into the bundle, fix related tests (<a
href="https://github.com/LavaMoat/LavaMoat/commit/645d0f2311a9871694b6bf14bb4ce3c81b2311c8">645d0f2</a>)</li>
</ul>
<h3>Dependencies</h3>
<ul>
<li>The following workspace dependencies were updated
<ul>
<li>dependencies
<ul>
<li><code>@​lavamoat/types</code> bumped from ^0.0.1 to ^0.1.0</li>
<li>lavamoat-core bumped from ^16.7.0 to ^16.7.1</li>
</ul>
</li>
</ul>
</li>
</ul>
<h2><a
href="https://github.com/LavaMoat/LavaMoat/compare/webpack-v1.3.2...webpack-v1.4.0">1.4.0</a>
(2025-09-25)</h2>
<h3>Features</h3>
<ul>
<li><strong>webpack:</strong> document and officially release scuttling
in webpack plugin (<a
href="https://redirect.github.com/LavaMoat/LavaMoat/issues/1829">#1829</a>)
(<a
href="https://github.com/LavaMoat/LavaMoat/commit/9c83030d97371478bf59b10d636e63168bd8473d">9c83030</a>)</li>
<li><strong>webpack:</strong> prevent webpack from eliminating reexports
and failing policy enforcement (<a
href="https://redirect.github.com/LavaMoat/LavaMoat/issues/1827">#1827</a>)
(<a
href="https://github.com/LavaMoat/LavaMoat/commit/5f4d4fcdf6395bd749918d2b6bed7c5e822629e2">5f4d4fc</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>webpack:</strong> adjust MessageEvent repair to reliably
work in the bizarre context of Firefox webextension contentscript (<a
href="https://redirect.github.com/LavaMoat/LavaMoat/issues/1830">#1830</a>)
(<a
href="https://github.com/LavaMoat/LavaMoat/commit/33d83d7402f9b914c7f4d7f9cd18f979c2f406c5">33d83d7</a>)</li>
</ul>
<h3>Dependencies</h3>
<ul>
<li>The following workspace dependencies were updated
<ul>
<li>dependencies
<ul>
<li>lavamoat-core bumped from ^16.6.2 to ^16.7.0</li>
</ul>
</li>
</ul>
</li>
</ul>
<h2><a
href="https://github.com/LavaMoat/LavaMoat/compare/webpack-v1.3.1...webpack-v1.3.2">1.3.2</a>
(2025-09-22)</h2>
<h3>Dependencies</h3>
<ul>
<li>The following workspace dependencies were updated
<ul>
<li>dependencies
<ul>
<li>lavamoat-core bumped from ^16.6.1 to ^16.6.2</li>
</ul>
</li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/LavaMoat/LavaMoat/commit/86d2258292a10b9bd36b480ebb9fcb789ba210ce"><code>86d2258</code></a>
chore: release main (<a
href="https://github.com/LavaMoat/lavamoat/tree/HEAD/packages/webpack/issues/1834">#1834</a>)</li>
<li><a
href="https://github.com/LavaMoat/LavaMoat/commit/645d0f2311a9871694b6bf14bb4ce3c81b2311c8"><code>645d0f2</code></a>
fix(webpack): strip policy meta from the policy that goes into the
bundle, fi...</li>
<li><a
href="https://github.com/LavaMoat/LavaMoat/commit/1dbc4c9b9450370b7403716850aed576fe04335e"><code>1dbc4c9</code></a>
chore: type niceties</li>
<li><a
href="https://github.com/LavaMoat/LavaMoat/commit/a53b434e21e074d2261a4e84b85e33fe8aa87278"><code>a53b434</code></a>
feat(webpack,core): Add a meta field to policy resource, report webpack
optim...</li>
<li><a
href="https://github.com/LavaMoat/LavaMoat/commit/9c7b3050460b4cc79b04ac422bdfb69540893bd9"><code>9c7b305</code></a>
feat(webpack): use the final module info in connections to handle the
optimiz...</li>
<li><a
href="https://github.com/LavaMoat/LavaMoat/commit/d54ff3b0f252ce36ac85e1404a849a51b2ef4917"><code>d54ff3b</code></a>
secret prototype repair for FF contentscript sandbox (<a
href="https://github.com/LavaMoat/lavamoat/tree/HEAD/packages/webpack/issues/1832">#1832</a>)</li>
<li><a
href="https://github.com/LavaMoat/LavaMoat/commit/e837fbfedd74d181e6cacbfdc28bda00b0d3a508"><code>e837fbf</code></a>
chore: release main (<a
href="https://github.com/LavaMoat/lavamoat/tree/HEAD/packages/webpack/issues/1828">#1828</a>)</li>
<li><a
href="https://github.com/LavaMoat/LavaMoat/commit/9c83030d97371478bf59b10d636e63168bd8473d"><code>9c83030</code></a>
feat(webpack): document and officially release scuttling in webpack
plugin (#...</li>
<li><a
href="https://github.com/LavaMoat/LavaMoat/commit/5f4d4fcdf6395bd749918d2b6bed7c5e822629e2"><code>5f4d4fc</code></a>
feat(webpack): prevent webpack from eliminating reexports and failing
policy ...</li>
<li><a
href="https://github.com/LavaMoat/LavaMoat/commit/33d83d7402f9b914c7f4d7f9cd18f979c2f406c5"><code>33d83d7</code></a>
fix(webpack): adjust MessageEvent repair to reliably work in the bizarre
cont...</li>
<li>Additional commits viewable in <a
href="https://github.com/LavaMoat/lavamoat/commits/webpack-v1.5.0/packages/webpack">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@lavamoat/webpack&package-manager=npm_and_yarn&previous-version=1.2.0&new-version=1.5.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Upgrades `@lavamoat/webpack` to 1.5.0 with related lockfile updates
and tightens LavaMoat policy env access plus a new parser allowance.
> 
> - **Build/Deps**
> - Upgrade `@lavamoat/webpack` to `^1.5.0` in
`packages/snaps-execution-environments/package.json`.
> - Lockfile updates: add `@lavamoat/types@^0.1.0`; bump `lavamoat-core`
to `16.7.1`, `lavamoat-tofu` to `8.0.11`, `@babel/parser` to `7.28.3`,
and `@babel/types` to `7.28.4`.
> - **LavaMoat Policy** (`lavamoat/build-system/policy.json`)
> - Replace `process.env` with `process.env.BABEL_TYPES_8_BREAKING`
under `@metamask/snaps-utils>@babel/types` globals.
>   - Add `depcheck>@babel/parser` to `@lavamoat/webpack` packages.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
c054b56. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: MetaMask Bot <[email protected]>

Author: dependabot[bot]

packages/snaps-execution-environments/lavamoat/build-system/policy.json

@@ -52,7 +52,7 @@
     "@metamask/snaps-utils>@babel/types": {
       "globals": {
         "console.warn": true,
-        "process.env": true
+        "process.env.BABEL_TYPES_8_BREAKING": true
       },
       "packages": {
         "@metamask/snaps-utils>@babel/types>@babel/helper-string-parser": true,
@@ -130,6 +130,7 @@
         "process._rawDebug": true
       },
       "packages": {
+        "depcheck>@babel/parser": true,
         "lavamoat>@lavamoat/aa": true,
         "@lavamoat/webpack>browser-resolve": true,
         "lavamoat>lavamoat-core": true,

packages/snaps-execution-environments/package.json

@@ -82,7 +82,7 @@
     "@esbuild-plugins/node-modules-polyfill": "^0.2.2",
     "@lavamoat/allow-scripts": "^3.4.0",
     "@lavamoat/lavatube": "^1.0.0",
-    "@lavamoat/webpack": "^1.2.0",
+    "@lavamoat/webpack": "^1.5.0",
     "@metamask/auto-changelog": "^5.0.2",
     "@swc/core": "1.11.31",
     "@swc/jest": "^0.2.38",

yarn.lock

@@ -418,14 +418,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@babel/parser@npm:^7.1.0, @babel/parser@npm:^7.14.7, @babel/parser@npm:^7.20.15, @babel/parser@npm:^7.20.7, @babel/parser@npm:^7.21.3, @babel/parser@npm:^7.23.0, @babel/parser@npm:^7.23.9, @babel/parser@npm:^7.25.4, @babel/parser@npm:^7.27.1, @babel/parser@npm:^7.27.2, @babel/parser@npm:^7.27.3, @babel/parser@npm:^7.27.5":
-  version: 7.27.5
-  resolution: "@babel/parser@npm:7.27.5"
+"@babel/parser@npm:7.28.3, @babel/parser@npm:^7.1.0, @babel/parser@npm:^7.14.7, @babel/parser@npm:^7.20.15, @babel/parser@npm:^7.20.7, @babel/parser@npm:^7.21.3, @babel/parser@npm:^7.23.0, @babel/parser@npm:^7.23.9, @babel/parser@npm:^7.25.4, @babel/parser@npm:^7.27.1, @babel/parser@npm:^7.27.2, @babel/parser@npm:^7.27.3, @babel/parser@npm:^7.27.5":
+  version: 7.28.3
+  resolution: "@babel/parser@npm:7.28.3"
   dependencies:
-    "@babel/types": "npm:^7.27.3"
+    "@babel/types": "npm:^7.28.2"
   bin:
     parser: ./bin/babel-parser.js
-  checksum: 10/0ad671be7994dba7d31ec771bd70ea5090aa34faf73e93b1b072e3c0a704ab69f4a7a68ebfb9d6a7fa455e0aa03dfa65619c4df6bae1cf327cba925b1d233fc4
+  checksum: 10/9fa08282e345b9d892a6757b2789a9a53a00f7b7b34d6254a4ee0bf32c5eb275919091ea96d6f136a948d5de9c8219235957d04a36ab7378a9d93a4cf0799155
   languageName: node
   linkType: hard
 
@@ -1480,13 +1480,13 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@babel/types@npm:^7.0.0, @babel/types@npm:^7.20.7, @babel/types@npm:^7.22.15, @babel/types@npm:^7.22.19, @babel/types@npm:^7.22.5, @babel/types@npm:^7.23.0, @babel/types@npm:^7.25.4, @babel/types@npm:^7.27.1, @babel/types@npm:^7.27.3, @babel/types@npm:^7.3.3, @babel/types@npm:^7.4.4":
-  version: 7.27.6
-  resolution: "@babel/types@npm:7.27.6"
+"@babel/types@npm:^7.0.0, @babel/types@npm:^7.20.7, @babel/types@npm:^7.22.15, @babel/types@npm:^7.22.19, @babel/types@npm:^7.22.5, @babel/types@npm:^7.23.0, @babel/types@npm:^7.25.4, @babel/types@npm:^7.27.1, @babel/types@npm:^7.27.3, @babel/types@npm:^7.28.2, @babel/types@npm:^7.3.3, @babel/types@npm:^7.4.4":
+  version: 7.28.4
+  resolution: "@babel/types@npm:7.28.4"
   dependencies:
     "@babel/helper-string-parser": "npm:^7.27.1"
     "@babel/helper-validator-identifier": "npm:^7.27.1"
-  checksum: 10/174741c667775680628a09117828bbeffb35ea543f59bf80649d0d60672f7815a0740ddece3cca87516199033a039166a6936434131fce2b6a820227e64f91ae
+  checksum: 10/db50bf257aafa5d845ad16dae0587f57d596e4be4cbb233ea539976a4c461f9fbcc0bf3d37adae3f8ce5dcb4001462aa608f3558161258b585f6ce6ce21a2e45
   languageName: node
   linkType: hard
 
@@ -2761,18 +2761,29 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@lavamoat/webpack@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "@lavamoat/webpack@npm:1.2.0"
+"@lavamoat/types@npm:^0.1.0":
+  version: 0.1.0
+  resolution: "@lavamoat/types@npm:0.1.0"
   dependencies:
+    "@babel/types": "npm:7.27.3"
+  checksum: 10/22017b720c206b97715bfdb867e46d58b17a1868dd4bf40d6764e63bc90b58d5c45cd5c801fb55d82a5982e4f7b745161b68c8aab6dbc918cb68cf390c72abbc
+  languageName: node
+  linkType: hard
+
+"@lavamoat/webpack@npm:^1.5.0":
+  version: 1.5.0
+  resolution: "@lavamoat/webpack@npm:1.5.0"
+  dependencies:
+    "@babel/parser": "npm:7.28.3"
     "@lavamoat/aa": "npm:^4.3.4"
+    "@lavamoat/types": "npm:^0.1.0"
     browser-resolve: "npm:2.0.0"
     json-stable-stringify: "npm:1.3.0"
-    lavamoat-core: "npm:^16.5.1"
+    lavamoat-core: "npm:^16.7.1"
     ses: "npm:1.14.0"
   peerDependencies:
     webpack: ^5.80.2
-  checksum: 10/bef023b5e044f5f458b2cf4324286ffa538cebebdca39bf63ebb4b8011dbd5fee22febf964a28a037758e30ecc1f21fc74ea5fcd3d4aff1869a5211a498f0477
+  checksum: 10/aaa44ce8aebd13f2d399e4240caf6dfb44bf01630cd66a7f82853f5b881e5421496c3648302e41639b9b0c0cdd1c0e750b318b6ff1fc0a61648a553c866af141
   languageName: node
   linkType: hard
 
@@ -4310,7 +4321,7 @@ __metadata:
     "@esbuild-plugins/node-modules-polyfill": "npm:^0.2.2"
     "@lavamoat/allow-scripts": "npm:^3.4.0"
     "@lavamoat/lavatube": "npm:^1.0.0"
-    "@lavamoat/webpack": "npm:^1.2.0"
+    "@lavamoat/webpack": "npm:^1.5.0"
     "@metamask/auto-changelog": "npm:^5.0.2"
     "@metamask/json-rpc-engine": "npm:^10.1.0"
     "@metamask/object-multiplex": "npm:^2.1.0"
@@ -13645,33 +13656,35 @@ __metadata:
   languageName: node
   linkType: hard
 
-"lavamoat-core@npm:^16.5.0, lavamoat-core@npm:^16.5.1":
-  version: 16.5.1
-  resolution: "lavamoat-core@npm:16.5.1"
+"lavamoat-core@npm:^16.5.0, lavamoat-core@npm:^16.7.1":
+  version: 16.7.1
+  resolution: "lavamoat-core@npm:16.7.1"
   dependencies:
     "@babel/types": "npm:7.27.3"
+    "@lavamoat/types": "npm:^0.1.0"
     json-stable-stringify: "npm:1.3.0"
-    lavamoat-tofu: "npm:^8.0.8"
+    lavamoat-tofu: "npm:^8.0.11"
     merge-deep: "npm:3.0.3"
     ses: "npm:1.14.0"
   bin:
     lavamoat-sort-policy: src/policy-sort-cli.js
-  checksum: 10/91f043b733902b1af02f5efa1862598c21f80fba14d531a276ff6017a6bf51b01dd9cee4cd241eee2279acf59847c220f473d364d1d88290f4e67a029dfb4a5a
+  checksum: 10/e15b3d83f2b838942f65159460d5f7394ce0f41122ed682db61c6eb2ad0760814e58bce6e3f9037604bf16f4190c9f5328d75cb0f550e10729092534365f21e7
   languageName: node
   linkType: hard
 
-"lavamoat-tofu@npm:^8.0.8":
-  version: 8.0.8
-  resolution: "lavamoat-tofu@npm:8.0.8"
+"lavamoat-tofu@npm:^8.0.11, lavamoat-tofu@npm:^8.0.8":
+  version: 8.0.11
+  resolution: "lavamoat-tofu@npm:8.0.11"
   dependencies:
     "@babel/parser": "npm:7.27.3"
     "@babel/traverse": "npm:7.27.3"
     "@babel/types": "npm:7.27.3"
+    "@lavamoat/types": "npm:^0.1.0"
     "@types/babel__traverse": "npm:7.20.7"
     type-fest: "npm:4.41.0"
   peerDependencies:
     lavamoat-core: ">15.4.0"
-  checksum: 10/f1d807ab5f11fa666e4c1b975270dcbc7592e4bc782ae6535fa318bd220d8fb7465d617cf9acd52f243e2b753f5dc8791ed3ef86eaed47645f6bb15a01c0a603
+  checksum: 10/4435814fae3934ca41d8a8ef7962b86a556cb3a2000d50d200d5afdabf43984231ceabf0dc5aa74e8890967f42d5ac01e7c8e78c69804b224ad7ead56a9b4abb
   languageName: node
   linkType: hard